Norwegian retailers will face complex challenges as they seek to innovate in an increasingly cashless future—rapidly evolving cybercrime threats, new European privacy regulations and an increasingly competitive, global market. In this post, we briefly explore current areas of concern for managing cyber risk in the retail sector.
Only 6% of Norwegians use cash regularly and our large financial institutions are lobbying to eliminate the cash economy by 2020. Whether this deadline is met or not, it’s clear that Norwegian retailers will demonstrate to the world both the opportunity and the risk that come with an increasingly cashless future. At the same time, retailers must learn to navigate new European privacy regulations while continuing to develop personalized, omnichannel customer experiences in an increasingly competitive, global market.
In addition to the obvious benefits, adoption of new technology also brings risk—risk that is often not easy to see at the outset. The risk associated with new technology becomes understood over time and is constantly changing, but like all risk, it can be assessed and managed.
Criminals continue to target online stores to obtain account information, extort ransom or execute fraudulent transactions. In the last two years, 150,000 Norwegians were victims of identity theft, and online retail sites are one of the common channels through which this personal information is stolen and later misused. Criminals who may have previously engaged in traditional on-site robbery and fraud are increasingly moving online. Europol’s latest annual cybercrime report found that remote cybercrime is becoming easier to execute and offers a low-risk, high-reward alternative for existing criminal organizations.
The 2013 breach of US Target Corporation that affected 110 million customers began with attackers obtaining legitimate network access credentials that Target had provided to one of their vendors. There have been many similar incidents in the Scandinavian region—businesses have seen thousands of customers impacted because vendors’ security was compromised. In 2012, many Norwegian online stores had their user accounts and passwords breached through the weak security of their hosting and content management provider, Demo Store AS. In 2013, the Coop HotellKupp reward program experienced a breach of 96,000 customer records when their service provider Loyaltybuild was compromised.
Although online attacks are on the rise, on-site fraud and breaches still occur via electronic POS terminals. The use of fraudulent cards copied via skimming or real cards obtained under stolen identities is an ongoing problem in Norway. POS malware is also becoming increasingly sophisticated and effective at stealing card information directly from vulnerable retail POS systems. Sophisticated attacks may combine remote hacking with on-site activities such as installation of malware via exposed USB ports or even swapping out entire devices with malicious look-alikes.
Datatilsynet’s report “The Great Data Race” explains several common commercial uses of personal information for online profiling and tracking that may violate Norway’s existing privacy laws—and more rules are coming. Tougher European data protection rules will be applicable in 2018, including possible fines of up to 4% of retailers’ global revenue for non-compliance.
Norwegian retailers that store, process or transmit cardholder data in the course of business are responsible for maintaining PCI DSS compliance. Although the means of measuring and reporting compliance differs based on the number of transactions a retailer processes annually, this compliance requirement applies to retailers of all sizes. However, as the Target breach and others have demonstrated, compliance audits are an observation at a point in time and a successful audit does not guarantee that a merchant will be able to effectively prevent or detect a future breach.
A successful approach to cyber risk management starts with business leaders becoming aware of strategic threats and the business’s current capabilities to prevent, detect and respond to those threats. Even in the event of significant breaches, customers have shown a surprising capacity to forgive and forget. However, retailers should expect cyber threats and consumer awareness of these issues to continue increasing into the future. This means gaining and keeping customer trust will increasingly depend on retailers not only taking reasonable steps to prevent breaches, but also having strong detection capabilities and a tested response plan in place.
It’s not enough to achieve compliance with standards at a point in time, or even to maintain it over time. Today’s retail threat landscape is changing faster than the smorgasbord of available standards can be updated to address it. Compliance with relevant standards can be a great starting point for effective risk management, but it’s not the finish line.
Cyber risk management is best undertaken as a continuous process that includes threat awareness, the establishment of business-specific performance indicators and ongoing measurement to track the effectiveness of controls against current threats. From this state of awareness, business leaders can support the integration of appropriate security and privacy measures as part of normal operations using an adaptive approach. By shifting resources over time to continually address the most relevant threats and vulnerabilities for their business, retailers can effectively protect their most valuable assets—their customers’ loyalty and trust.